Frequently asked questions

Common questions about how EntraAnalyzer works — permissions, data storage, licensing, and more. Looking for a specific security check? Browse the full findings library.

What is EntraAnalyzer?

EntraAnalyzer is an automated security analysis service for Microsoft Entra ID (formerly Azure Active Directory). It scans your tenant on a daily or weekly schedule, evaluates dozens of best-practice rules, and emails a prioritized report of findings with remediation guidance.

Is EntraAnalyzer read-only?

Yes. EntraAnalyzer only requests read-only Microsoft Graph application permissions. It can never modify settings, create or delete users, or change roles or policies. See the full permissions list.

What is a "finding"?

A finding is a single issue detected by one of our security rules — for example a guest user in an administrative role, an application with an expired secret, or a missing Conditional Access policy. Each finding has a severity (Critical, High, Medium, Low, or Info), a description of the risk, and a recommended remediation.

How are severities assigned?

Each rule has a default severity based on industry guidance (Microsoft Secure Score, CIS Benchmarks, OWASP). Critical findings represent immediate risk of tenant compromise; High findings represent material risk; Medium and Low findings represent hygiene issues that compound over time.

Where is my data stored?

All scan data is stored and processed in the European Union on Microsoft Azure (West Europe). Encryption in transit uses TLS 1.2+ and data at rest is encrypted with Azure-managed keys. See Privacy.

How often do scans run?

You choose. Scans can run daily or weekly at a time of your choosing. The first scan starts immediately after admin consent is granted.

Does EntraAnalyzer replace Microsoft Secure Score?

No — it complements it. Secure Score gives you a single number; EntraAnalyzer gives you concrete, prioritized findings with the exact resources affected, delivered to your inbox without having to log in to the Entra portal.

What Microsoft licenses are required?

Most rules work on any Entra ID tier. A small number of rules require Entra ID P1 or P2 (for example sign-in risk and Identity Protection events). When a rule cannot run because of a missing license or permission, it is automatically marked as skipped — it does not block the rest of the scan.
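To make the finding and skip semantics above concrete, here is an added illustration (not EntraAnalyzer's own code) of a minimal rule engine: each rule reads a tenant snapshot, yields findings carrying a severity, description and remediation, and a rule whose required license is absent is recorded as skipped rather than failing the scan. The tenant snapshot, rule names and license labels are all constructed for the example.

```python
from dataclasses import dataclass

# Constructed tenant snapshot in a Microsoft Graph-like shape (hypothetical data).
TENANT = {
    "licenses": {"ENTRA_ID_FREE"},
    "directoryRoles": [
        {"displayName": "Global Administrator",
         "members": [{"userPrincipalName": "alice@contoso.example", "userType": "Member"},
                     {"userPrincipalName": "bob_fabrikam.example#EXT#@contoso.example",
                      "userType": "Guest"}]},
        {"displayName": "User Administrator",
         "members": [{"userPrincipalName": "carol@contoso.example", "userType": "Member"}]},
    ],
}

@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str      # one of Critical, High, Medium, Low, Info
    resource: str      # the exact object the finding applies to
    description: str
    remediation: str

def guests_in_admin_roles(tenant):
    """Rule: a guest (B2B) account that holds a directory role."""
    for role in tenant["directoryRoles"]:
        for m in role["members"]:
            if m.get("userType") == "Guest":
                yield Finding("guest-in-admin-role", "High", m["userPrincipalName"],
                              f"Guest account is a member of {role['displayName']}",
                              "Remove the guest from the role or replace it with a member account")

def risky_sign_ins(tenant):
    """Rule: Identity Protection risk events; needs P2 data, so it is skipped here."""
    for event in tenant.get("riskySignIns", []):
        yield Finding("risky-sign-in", "Critical", event["user"],
                      "Sign-in flagged as risky", "Investigate and remediate the user")

# Each rule is paired with the licenses it needs (constructed labels, not real SKU ids).
RULES = [(guests_in_admin_roles, set()), (risky_sign_ins, {"ENTRA_ID_P2"})]

def run_scan(tenant, rules=RULES):
    """Return (findings sorted by severity, names of skipped rules)."""
    findings, skipped = [], []
    for rule, needs in rules:
        if not needs <= tenant["licenses"]:   # missing license: skip, don't abort
            skipped.append(rule.__name__)
            continue
        findings.extend(rule(tenant))
    order = {s: i for i, s in enumerate(("Critical", "High", "Medium", "Low", "Info"))}
    findings.sort(key=lambda f: order[f.severity])
    return findings, skipped
```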

Can I disable rules I don't care about?

Yes. Each rule can be enabled or disabled per tenant from the dashboard. Disabled rules are excluded from scans and reports.

What happens to my data if I cancel?

If you cancel your subscription or revoke admin consent, all stored scan data for your tenant is permanently deleted. See Privacy for details.

How do I get started?

Sign in with a Microsoft work or school account, grant admin consent for the read-only Graph permissions, and your first scan starts automatically. You'll receive an email report within minutes.

How do I contact support?

Email support@entraanalyzer.com — we usually respond within one business day.

Didn't find an answer?

Email support@entraanalyzer.com — we usually respond within one business day.